We have had a break from Trickbot hitting the UK in last week or so, that generally means that the criminals are experimenting with new delivery systems. The reappearance on Monday 25 June 2018 confirms this. I am not sure how successful this new system will be because it uses an exploit CVE-2018-8174 ( which only affected Internet Explorer) which was fixed in May 2018 windows updates, so I doubt there are enough vulnerable systems around that makes this worthwhile continuing with the campaign. Instead of the usual word docs with either macros, embedded ole objects or using the Microsoft equation editor exploits, they have switched to a multi-faceted download system, with several redirects & roadblocks that involves directly delivering a VBS delivered via a look-a-like or typo-squatted site that imitates a genuine Barclays Bank site.

I couldn’t get any payload or anything from the sites yesterday when this arrived. Slightly later in the afternoon other researchers did get the malware chain and the payloads. I had to go for a hospital appointment and treatment shortly after these arrived and by the time I got home late in the evening, I was too exhausted to do anything more with them until this morning.

This example is an email containing the subject of “Barclays Secured Message: New Message Received ” pretending to come from Barclays Bank but actually coming from a look-a-like or typo-squatted domain “message@securemail-barclays.com” with link in the email body is today’s latest spoof of a well-known company, bank or public authority eventually delivering Trickbot banking Trojan

Today we start with a fake Barclays Bank Email, that has a link to “https://sm-barclays.com/b/b.e?r=victim@victimsdomain.com&n=%2FIWWIQX49Zj2QZhhK0un0A%3D%3D” that will eventually download or automatically run a VBS file. which downloads the Trickbot binary ( see malware section below) The email is in a number of European languages, but the link is identical in all cases.

This is only designed to work in Internet Explorer and the criminals have set up the delivery chain to specifically exclude any recipient using Google Chrome or Firefox browsers, where you get this message when following the link in the email.

Fake Barclays site in Firefox

When I tried to use Internet Explorer I got a simple page saying is IE and nothing else.

The code of that page is shown below. Whether my IP was on a block list or whether I was too quick & the chain wasn’t live is unknown at this time. However other researchers also couldn’t get anything initially and it took them some time before the site became active or they could get the vbs file.

Barclays Bank has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there is one newly registered domain using 4 separate IP addresses and servers to send the emails that imitate Companies House, HMRC, another Government department, a Bank, file hosting service or a message sending service that can easily be confused with the genuine organisation in some way. Some days however we do see dozens or even hundreds of fake domains.

Malware Details

Today we start with a fake Barclays Bank Email, that has a link to https://sm-barclays.com/b/b.e?r=victim@victimsdomain.com&n=%2FIWWIQX49Zj2QZhhK0un0A%3D%3D which redirects to https://sm-barclays.com/second.html which then redirects to https://sm-barclays.com/script.vbsVirusTotal | Anyrun |

This encoded vbs downloads the Trickbot binary from one of these 2 sites http://aasoftbd.org/oi.bin http://algysautos-cyprus.com/oi.bin via an encoded powershell script embedded in the VBS. VirusTotal

Note the exploit is actually contained within the VBS. I don’t know if the vbs autoruns or tries to autorun on a vulnerable system, just by the recipient of the email following the link(s) in the email or whether you get a save file or run file prompt. Obviously all the sites are down now and were already down when I got home last night.

They have also changed to C:\Users\User Name\AppData\Roaming\tarutils as the folder location to run the malware and store the config files. Today we have Gtag ser 0625

The “&n=%2FIWWIQX49Zj2QZhhK0un0A%3D%3D” reference number or tracking ID number was the same in all copies of the emails that I received to several different email addresses & domains.